Bertie's Nursery Logo

Data Protection Policy

Data protection is an important legal compliance issue for the Downs School including Bertie’s Nursery School (“the School”). During the course of the School's activities it collects, stores and processes personal data (sometimes sensitive in nature) about staff, pupils, their parents, suppliers and other third parties in a manner more fully detailed in the School’s Privacy Notices. It is therefore an area where all staff have a part to play in ensuring we comply with and are mindful of our legal obligations, whether that personal data is sensitive or routine.

The law (the Data Protection Act 1998) changed on 25 May 2018 with the implementation of the General Data Protection Regulation (GDPR). This is an EU Regulation that is directly effective in the UK and throughout the rest of Europe. A new Data Protection Act 2018 has also been passed to deal with certain issues left for national law: this includes specific provisions of relevance to independent schools. In particular, in the context of our safeguarding obligations, the School has a heightened duty to ensure that the personal data of pupils is at all times handled responsibly and securely.

While this new law does set out useful legal grounds in this area, in most ways this new law is strengthening the rights of individuals and placing tougher compliance obligations on organisations including schools that handle personal information. The Information Commissioner's Office (ICO) is responsible for enforcing data protection law and has powers to take action for breaches of the law.

Those who are involved in the processing of personal data are obliged to comply with this policy when doing so. Accidental breaches will happen and may not be a disciplinary issue, but any breach of this policy may result in disciplinary action. This policy may be amended at any time.

This policy sets out the School’s expectations and procedures with respect to processing any personal data we collect from data subjects (e.g. including parents, pupils, employees).

Key data protection terms used in this data protection policy are:

  • Data controller – an organisation that determines the purpose and means of the processing of personal data. For example, the School is the controller of pupils’ personal information. As a data controller, we are responsible for safeguarding the use of personal data.
  • Data processor – an organisation that processes personal data on behalf of a data controller, for example a payroll provider or other supplier of services.
  • Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
  • Personal information (or personal data): any information relating to a living individual (a data subject), including name, identification number, location or online identifier such as an email address. Note that personal information created in the ordinary course of work duties (such as in emails, notes of calls, and minutes of meetings) is still personal data and regulated by data protection laws, including the GDPR. Note also that it includes expressions of opinion about the individual or any indication of someone’s intentions towards that individual.
  • Processing – virtually anything done with personal information, including obtaining or collecting it, structuring it, analysing it, storing it, sharing it internally or with third parties (including making it available to be viewed electronically or otherwise), altering it or deleting it.
  • Special categories of personal data – data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health and medical conditions, sex life or sexual orientation, genetic or biometric data used to identify an individual. There are also separate rules for the processing of personal data relating to criminal convictions and offences.

1. Data Protection Officer / Data Protection Lead

The School does not meet the required threshold for having a Data Protection Office (DPO), since the School is not a public body, or perform ‘large scale monitoring’, or monitor data subjects at scale). On that basis, the Bursar is the Data Protection Lead, without the need for a formal DPO role in place. The ICO registration certificate therefore does not show a DPO for the School.

The Bursar will endeavour to ensure that all personal data is processed in compliance with this Policy and the principles of the GDPR, including briefing staff on the key requirements. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Bursar.

2. The Principles

The GDPR sets out six principles relating to the processing of personal data which must be adhered to by data controllers (and data processors). These require that personal data must be:

  • Processed lawfully, fairly and in a transparent manner;
  • Collected for specific and explicit purposes and only for the purposes it was collected for;
  • Relevant and limited to what is necessary for the purposes it is processed;
  • Accurate and kept up to date;
  • Kept for no longer than is necessary for the purposes for which it is processed; and
  • Processed in a manner that ensures appropriate security of the personal data.

The GDPR's 'accountability' principle also requires that the School not only processes personal data in a fair and legal manner but that we are also able to demonstrate that our processing is lawful. This involves, among other things:

  • keeping records of our data processing activities, including by way of logs and policies;
  • documenting significant decisions and assessments about how we use personal data; and
  • generally having an 'audit trail' for data protection and privacy matters, including for example when and how our Privacy Notices were updated, how and when data protection consents were collected from individuals, how breaches were dealt with, etc.

3. Lawful grounds for data processing

Under the GDPR there are several different lawful grounds for processing personal data. One of these is consent. However, because the definition of what constitutes consent has been tightened under GDPR (and the fact that it can be withdrawn by the data subject) it is generally considered preferable to rely on another lawful ground where possible.

One of these alternative grounds is 'legitimate interests', which is the most flexible basis for processing. However, it does require transparency and a balancing assessment between the rights of the individual and the interests of the Controller. It can be challenged by data subjects and also means the Controller is taking on extra responsibility for considering and protecting people's rights and interests. The School’s legitimate interests are set out in its Privacy Notices, as GDPR requires.

Other lawful grounds include:

  • compliance with a legal obligation, including in connection with employment and diversity;
  • contractual necessity, e.g. to perform a contract with staff or parents;
  • a narrower set of grounds for processing special categories of personal data (such as health information), which includes explicit consent, emergencies, and specific public interest grounds.

4. Responsibilities of all staff

Record-keeping

It is important that personal data held by the School is accurate, fair and adequate. You are required to inform the School if you believe that your personal data is inaccurate or untrue or if you are dissatisfied with the information in any way. Similarly, it is vital that the way you record the personal data of others – in particular colleagues, pupils and their parents – is accurate, professional and appropriate.

Staff should be aware of the rights set out below, whereby any individuals about whom they record information in emails and notes on School business may have the right to see that information. This absolutely must not discourage staff from recording necessary and sometimes difficult records of incidents or conversations involving colleagues or pupils, in accordance with the School’s other policies, and grounds may sometimes exist to withhold these from such requests. However, the starting position is to record every document or email in such a way that you would be able to stand by it if the person about whom it was recorded were to see it.

Data handling

All staff have a responsibility to handle the personal data which they come into contact with fairly, lawfully, responsibly and securely and in accordance with all relevant School policies and procedures and the School’s Employment Handbook. In particular, there are data protection implications across a number of areas of the School’s wider responsibilities such as safeguarding and IT security, so all staff must also read and comply with the following policies:

  • Child Protection and Safeguarding Policy
  • E-Safety & Acceptable Use of IT Policy
  • Data Retention and Destruction Policy
  • Information Security Policy
  • Social Media Policy (Employment Handbook)

Responsible processing also extends to the creation and generation of new personal data / records, as above, which should always be done fairly, lawfully, responsibly and securely.

Avoiding, mitigating and reporting data breaches

One of the key new obligations contained in the GDPR is on reporting personal data breaches. Data controllers must report certain types of personal data breach (those which risk an impact to individuals) to the ICO within 72 hours. A ‘self-assessment’ may be conducted in certain circumstances, as stated in ICO guidance.

In addition, data controllers must notify individuals affected if the breach is likely to result in a "high risk" to their rights and freedoms. In any event, the School must keep a record of any personal data breaches, regardless of whether we need to notify the ICO. If you become aware of a personal data breach you must notify the Bursar. If staff are in any doubt as to whether or not you should report something, it is always best to do so. A personal data breach may be serious, or it may be minor, and it may involve fault or not, but the School always needs to know about them to make a decision.

As stated above, the School may not need to treat the incident itself as a disciplinary matter – but a failure to report could result in significant exposure for the School, and for those affected, and could be a serious disciplinary matter whether under this Policy or the staff member’s contract.

Care and data security

More generally, we require all School staff to remain conscious of the data protection principles (see section 2 above), to attend any training we require them to, and to use their best efforts to comply with those principles whenever they process personal information. Data security is not simply an online or digital issue but one that affects daily processes: filing and sending correspondence, notably hard copy documents. Staff should always consider what the most assured and secure means of delivery is, and what the consequences would be of loss or unauthorised access.

We expect all those with management / leadership responsibilities to be particular champions of these principles and to oversee the swift reporting of any concerns about how personal information is used by the School to the Bursar, and to identity the need for (and implement) regular staff training.

5. Storage, retention and timely destruction of data

GDPR states that ‘data shall not be kept for longer than is necessary’. All personal data have different retention periods to adhere to legislations, business needs or storage limitations.

A key step to ensuring compliance with the data protection legislation is to ensure that only personal data that is required by the School is collected. This immediately helps minimise the volumes of personal data in the School’s care. A secondary step to this principle is to ensure that, once held, the personal data is retained in minimal known and secure locations. This substantially increases the ease with which the personal data can be protected from harm.

A Data Retention and Destruction Policy is held by the School, which clearly instructs where and how long data can be retained. The policy also details the office holder who is responsible for certain categories of data, and the steps for data destruction including the length of retention and the method of destruction.

The School generally seeks to balance the benefits of keeping detailed and complete records – for the purposes of good practice, archives or general reference – with practical considerations of storage, space and accessibility. There are also legal considerations in respect of retention of records and documents which must be borne in mind. These include:

  • statutory duties and government guidance relating to schools, including for safeguarding;
  • disclosure requirements for potential future litigation;
  • contractual obligations;
  • the law of confidentiality and privacy; and
  • the GDPR and Data Protection Act when fully embedded will inform minimum and maximum retention periods, as well as what to keep and who should be able to access it.

To support our retention policies, we are (a) communicating the reasons for the policy in Privacy Notices and staff or parent contracts; and (b) ensuring any records necessary to keep long-term are kept very secure, accessible only by trained staff on a need-to-know basis.

6. Rights of Individuals and Subject Access Requests

– See Appendix - Handling SARS

In addition to the School’s responsibilities when processing personal data, individuals have certain specific rights, perhaps most significantly that of access to their personal data held by a data controller (i.e. the School). This is known as the 'subject access right' (or the right to make 'subject access requests'). Such a request must be dealt with promptly and does not need any formality, nor to refer to the correct legislation. If you become aware of a subject access request (or indeed any communication from an individual about their personal data), you must tell the Bursar as soon as possible.

Individuals also have legal rights to:

  • require us to correct the personal data we hold about them if it is inaccurate;
  • request that we erase their personal data (in certain circumstances);
  • request that we restrict our data processing activities (in certain circumstances);
  • receive from us the personal data we hold about them for the purpose of transmitting it in a commonly used format to another data controller;
  • object, on grounds relating to their particular situation, to any of our particular processing activities where the individual feels this has a disproportionate impact on them; and
  • object to automated individual decision-making, including profiling (where a significant decision is made about the individual without human intervention), and to direct marketing, or to withdraw their consent where we are relying on it for processing their personal data.

Except for the final bullet point, none of these rights for individuals are unqualified and exceptions may well apply. In any event, however, if you receive a request from an individual who is purporting to exercise one or more of their data protection rights, you must tell the Bursar as soon as possible.

Further guidance on the procedure and actions for Subject Access Requests is found in an Appendix to this Policy.

7. Data Security: online and digital

The School must ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

In conjunction with this policy, staff should read the Information Security Policy.

8. Summary

It is in everyone's interests to get data protection right and to think carefully about data protection issues: this means handling all personal information with which you come into contact fairly, lawfully, securely and responsibly.

A good rule of thumb here is to ask yourself questions such as:

  • Would I be happy if my own personal information were being used (for example, shared with a third party) in the way I am proposing? Would I expect it?
  • Would I wish to stand by how I have recorded this information in an email or official record if the person concerned was able to see it?
  • What would be the consequences of my losing or misdirecting this personal data?

Data protection law is therefore best seen not as oppressive red tape, or a reason not to do something necessary or important, but a code of useful and sensible checks and balances to improve how we handle and record personal information and manage our relationships with people. This is an important part of the School’s culture and all its staff and representatives need to be mindful of it.

This policy was adopted on

Signed on behalf of the School

Date for review

1/6/22

J Barclay

1/6/23

Overview required by RRC Committee - date

Policy upload to ISI Portal - date

Policy uploaded to website(s) - date

Nov21 – completed;

Next due: Nov22

N/A

N/A